A Chinese-linked threat group identified as “Ink Dragon” is targeting common weaknesses in Internet Information Services (IIS) servers to build a global espionage network that is difficult to track or disrupt, security vendor Check Point has reported.

Also nicknamed “Earth Alux,” (Trend Mico) and “REF7707” (Elastic Security Labs), the group’s activities date back to early 2023, at which time it targeted governments in Southeast Asia and South America. This has since expanded to target European countries.

Ink Dragon might sound similar in its modus operandi to several other Chinese threat groups engaged in nation-state surveillance, such as UNC6384, whose campaigns targeted European diplomats.

However, during a recent investigation at the office of a European government, Check Point said it had discovered that the group has now pivoted towards what it called “an unusually sophisticated playbook” with longer term goals.

Key to this is IIS, Microsoft’s aging web server platform, which is still present in many networks, especially those in the public sector. This platform holds two attractions: it is widely deployed, and is often misconfigured and insecure.

The campaign begins when attackers compromise an IIS server, gain access to the internal network where they harvest local credentials, study admin sessions, using these and Microsoft Remote Desktop to move laterally without attracting attention. At this point, the group installs a customized IIS module that turns the server into an invisible “quiet” relay inside the group’s wider global infrastructure.

“These servers forward commands and data between different victims, creating a communication mesh that hides the true origin of the attack traffic,” explain Check Point’s researchers.

Shadow infrastructure

The attack has two goals: to compromise government servers and plunder their networks for intelligence while, secondly, borrowing them to relay attack traffic to and from other compromised servers in a way that makes detecting the group’s command & control (C2) much harder.

This tactic cleverly dodges the problem of having to rely on conventional C2 infrastructure which is vulnerable to takedown and disruption. Instead, the hijacked and trusted government servers become the infrastructure.

“Across incidents, the same story repeats. A small web facing issue becomes the first step. A series of quiet pivots leads to domain level control. The environment is then repurposed as part of a larger network that powers operations against additional targets,” said Check Point. As to the traffic itself, the group hides communication inside ordinary mailbox drafts, making it look like everyday communication.

Coincidentally, Check Point found that a second Chinese threat group, RudePanda, was simultaneously exploiting IIS weaknesses to compromise government servers. This meant that RudePanda “ended up operating in the same [compromised] environments at the same time.”

The discoveries underscore the issue of IIS misconfiguration. Beyond listing the group’s indicators of compromise (IoCs), Check Points offers no specific advice on how to counter this. Nevertheless, some actions suggest themselves: audit the modules running on IIS against a known good baseline, enable advanced IIS logging, configure IIS to make common view state vulnerabilities less likely, and consider putting IIS servers behind a web application firewall (WAF).

SUBSCRIBE TO OUR NEWSLETTER

From our editors straight to your inbox

Get started by entering your email address below.